Hello
We are currently running the following version of Apache HTTPd:
httpd-2.4.6.89.el7-centos.x86_64
We have had a security scan which has identified the following vulnerabilities:
Apache HTTPD: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
Apache HTTPD: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
Apache HTTPD: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
Apache HTTPD: mod_session_cookie does not respect expiry time (CVE-2018-17199)
Are these currently in the build provided above? I can't see the CVEs in the change notes, but I can see they were patched on Red Hat httpd24-httpd-2.4.34-7.el7.
CVE Information:
https://access.redhat.com/security/cve/CVE-2018-1312 (Affected)
https://access.redhat.com/security/cve/CVE-2017-15710 (Affected)
https://access.redhat.com/security/cve/CVE-2018-1303 (Affected)
https://access.redhat.com/security/cve/CVE-2018-17199 (Affected)
Red Hat Security Advisories:
https://rhn.redhat.com/errata/RHSA-2018-3558.html
Apache CVE's
Re: Apache CVE's
None of those appear to be fixed in the base version of httpd. 3 of those 4 are all marked as severity: Low so I am unsurprised that they are not fixed. The 4th one is Moderate but the affected module is not enabled by default.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Apache CVE's
Even on the update version 89 they are not patched?
Our security scan has them as severity High.
Re: Apache CVE's
Read the links you posted to the Red Hat CVE pages; none of them are high.
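An added example, not part of any post in this thread: one way to do the "change notes" check from the first post is to map each CVE ID from the scan report to the package changelog entry that names it. The function names and the sample changelog (with placeholder CVE IDs) are constructed for illustration; the input format assumed is that of `rpm -q --changelog`, newest entry first.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes `rpm -q --changelog <pkg>` format: entries newest first, each
# starting "* <date> <packager> - <version-release>", then "- " detail lines.

# Usage on the host: rpm -q --changelog httpd | cve_changelog_status CVE-... ...
# Prints "<CVE> <version-release>" for the oldest entry naming the ID
# (where the backport first landed), or "<CVE> not-listed".
cve_changelog_status() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        /^\* / { rel = $NF; next }   # entry header: last field is version-release
        {
            for (i = 1; i <= n; i++) {
                # exact ID only: a longer ID sharing the prefix must not match
                if (match($0, want[i] "([^0-9]|$)"))
                    seen[want[i]] = rel   # later lines are older entries
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in seen) ? seen[want[i]] : "not-listed")
        }'
}

# Constructed changelog with placeholder CVE IDs, so the demo runs offline.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2018 Example Packager <pkg@example.invalid> - 1.0-3
- fix CVE-0000-00012 (constructed entry)
* Sun Jan 01 2017 Example Packager <pkg@example.invalid> - 1.0-2
- backport fix for CVE-0000-0001 (constructed entry)
EOF
}

# CVE-2018-1312 is one of the IDs from the scan report in the thread.
sample_changelog | cve_changelog_status CVE-0000-0001 CVE-2018-1312
```

On a CentOS host, pipe `rpm -q --changelog httpd` into the function with the four CVE IDs from the scan report and compare any reported release with the installed one.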